Finding Hacked Web Servers

Questions We Can Ask about Hacked Web Servers

Finding hacked web servers can be useful in a number of ways: defenders can track attackers as they’re working, meaning they can quickly locate the affected hosts and take action before any further damage is done; researchers can track insecure servers and monitor trends in adversary behavior and methodology, learning from these attacks in order to help prevent similar attacks in the future.

In this article, we’ll show you one way to find hacked web servers. There are endless methods of hunting for affected web servers and this is just one example to get you started in thinking about your efforts in this area.

Finding hacked web servers in Censys

We’ll begin with one of the simplest ways to find defaced web servers: searching for the string “hacked by”. Attackers commonly “sign their work” by writing a message on a website, such as “Hacked by [attacker handle]”. Luckily, the old-school hacker desire to gain street cred and notoriety from their work (think of it like a signature or tag on artwork/graffiti) helps defenders and researchers who are hunting for affected web servers.

Based on the search results that come back and the highlighted text, you can immediately see that we’re uncovering some gems with this approach.

Below is a partial screenshot of a defaced website that we uncovered using the approach described in this post:

Spot checking the search results can be used to confirm the value of this approach — it has a high true positive rate.

Some additional filters you may want to add in specific use cases:

If you run a network (for example a university, a hosting company, or an ISP) or need to triage reports for your clients, you can constrain this query — for example, if you work at a national CSIRT organization you can use the “location.country” index (e.g. just add “AND location.country: [your country]”).

If you’re working for a state government and helping your organization identify successful hacking events, you can use the “location.province” index (note: although it says province, it also works for US states).

If you are running an ISP, you can add your autonomous system number using the “autonomous_system.asn” index. Using the API you can make these calls on a regular basis and keep updated as we find these servers.

For Defenders: What to do if you find hacked servers tied to your organization

Reactive version: you’re responding to a breach after the fact

If you’re doing damage control, you have a bit of a challenge ahead of you. However, there are a lot of helpful guides and tools from people who’ve been in your shoes (and there are many who have, you aren’t alone!).

As Censys doesn’t directly access any of the hosts across the Internet (we strongly believe in good Internet citizenship) we don’t collect any data on how a server is hacked, but Censys data can help you identify possible routes an adversary took. An example would be that perhaps an attacker left FTP on, which you would be able to see with a bit of forensic analysis. This creative analysis is key so that you can determine what happened to close the security gap and prevent it from happening again. Censys can give you the visibility into Internet-exposed services that you need in your threat hunting efforts and help you find attacker trails and behaviors in order to track, pivot, and protect your organization.

Initially, you’ll need to remove the problematic content (malware), restore the site from a backup, close security gaps that you’ve uncovered after tracking the attack(s), and add some security tooling around it in order to prevent future issues.

There are a few helpful resources for organizations who’ve been the victims of attacks, which may prove useful if you’re reacting to a breach — Dreamhost offers a super useful guide, and Sucuri’s writeup is another great first step. Ideally, you’d want to react by reinstalling your breached systems onto an updated, secured platform, but we realize that’s very often not a realistic option for most companies.

Think about it this way, without the knowledge that you have hacked web servers tied to your organization, attackers could continue damaging your systems for years to come. So even though finding that you’ve been affected by adversaries feels like a defeat, you’ve still done the work to locate those problematic hosts and address the security gap before it gets any bigger.

For Researchers: Discover and track trends across the Internet

If you’re a researcher, these types of trend data can be highly useful for existing research projects and you may even be able to brainstorm new projects based on some of the security trends you can uncover in Censys.

We suggest that you begin exploring interesting Internet-wide security trends by analyzing data on a global scale with Censys searches, relying on our report builder function. We can build a report from the search results we’ve uncovered earlier in this post. With those search results, we can then aggregate by host country and run a report. That report reveals that the U.S. dominates, with more than 1500 hacked servers hosted in the U.S. [insert sad bald eagle]:

But this chart on its own is misleading. If all you were to do is to take those results at face value and make interpretations around it, you’d likely draw some wrong conclusions. An important distinction to make in this report is that hosts aren’t distributed evenly around the world, so the trend data may be unfairly skewed as the US has well over half of all IPv4 addresses. This might account for these values. Think about it this way: if two countries each have 20 servers reporting “hacked by”, but the first country has 100 servers and the second has 10000, that’s a 20% rate vs a 0.2% rate of “hacked by” instances.

What you need to do is start adding context into the picture. In this example, we’ll marry two sets of results from Censys:

A query for the total number of web servers, broken down by country.

A query for the number of web servers with the string “Hacked by” in the page, broken down by country.

When we scale the “hacked by” values (the second data set) by the number of web servers in each country (the first set), they make a lot more sense. In fact, the United States drops from the first position to somewhere in the middle.
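As an added example (not code from the post or from Censys), here is the scaling step in Python. The two dictionaries are constructed sample counts standing in for the two Censys report aggregations, not real results, and the minimum-population cut-off is an assumption added to handle the small-denominator caveat the post raises:

```python
"""Scale raw "hacked by" counts by each country's web-server population."""
from typing import Dict, List, Tuple

# Constructed sample data: country -> total web servers seen (first data set)
TOTAL_WEB_SERVERS: Dict[str, int] = {
    "US": 60_000_000, "DE": 8_000_000, "CU": 30_000,
    "MN": 120_000, "KR": 9_000_000, "XX": 8,
}
# Constructed sample data: country -> hosts whose page says "hacked by" (second set)
HACKED_BY_HITS: Dict[str, int] = {
    "US": 1500, "DE": 300, "CU": 10, "MN": 20, "KR": 19, "XX": 1,
}


def rank_by_raw_count(hits: Dict[str, int]) -> List[str]:
    """Countries ordered by raw defacement count; the US dominates here."""
    return sorted(hits, key=lambda c: hits[c], reverse=True)


def hacked_rate(hits: Dict[str, int], totals: Dict[str, int],
                min_servers: int = 100) -> List[Tuple[str, float]]:
    """Return (country, rate in percent) sorted by descending rate.

    rate = hits / total web servers * 100. Countries with fewer than
    ``min_servers`` hosts are dropped (assumed threshold): one defacement
    among 8 hosts is a 12.5% "rate" that says nothing about the country.
    """
    rates = []
    for country, total in totals.items():
        if total < min_servers:
            continue
        rates.append((country, 100.0 * hits.get(country, 0) / total))
    return sorted(rates, key=lambda cr: cr[1], reverse=True)


def position_of(country: str, ranking: List[Tuple[str, float]]) -> int:
    """1-based rank of a country in a normalized ranking (0 if excluded)."""
    for idx, (c, _) in enumerate(ranking, start=1):
        if c == country:
            return idx
    return 0


if __name__ == "__main__":
    print("Raw ranking:", rank_by_raw_count(HACKED_BY_HITS))
    for country, rate in hacked_rate(HACKED_BY_HITS, TOTAL_WEB_SERVERS):
        print(f"{country}: {rate:.4f}%")
```

With the sample counts the US is first by raw count but fourth of five once scaled, and the eight-host country is excluded rather than reported as the worst-affected.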

Tables 1 and 2 break down the top 10 and bottom 10 countries by “hacked by” instances per web server. Surprisingly, Cuba and Cameroon lead the pack at roughly double the rate of third-place Mongolia, but that may be due to the smaller web server population in those countries.

Table 1: Top 10 Most Affected Countries per Capita Web Servers

Country       “Hacked by” rate
Cuba          0.034%
Cameroon      0.033%
Mongolia      0.017%
Namibia       0.015%
Indonesia     0.014%
Malta         0.011%
Israel        0.01%
Tunisia       0.01%
Seychelles    0.01%
Georgia       0.008%

South Korea and Venezuela, in contrast, have the lowest rates of defaced web servers. It’s interesting to study the various factors that may explain these findings, which may point to an opportunity for a broader study.

Table 2: 10 Least Affected Countries per Capita Web Servers

Country       “Hacked by” rate
South Korea   0.00021%
Venezuela     0.00029%
Mexico        0.00039%
Taiwan        0.00041%
Austria       0.00045%
Kazakhstan    0.00049%
South Africa  0.00071%
Hungary       0.00076%
Argentina     0.00081%
Lithuania     0.00093%

These data points can lead to a larger question: what attributes, regulations, and social trends could explain why Cuba, for instance, has more hacked websites per web server than other countries? As you can imagine, Internet data alone isn’t enough to demonstrate causation, but it can be used to pull together interesting data trends to support a huge variety of research projects.

A global perspective on Internet security

Internet security data can uncover what we don’t know about our own organization, while also illuminating real-time data trends that tell a bigger story about global Internet security.

Finding hacked web servers is just a simple example that we hope will get you thinking creatively about how you can use Censys data. With our broad, global perspective and the depth of relevant security data we make searchable, you can get the visibility required to improve security,